131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45

Analysis

max time kernel
151s
max time network
84s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe
Size

687KB
MD5

5349282420c16ff192c08775a152b530
SHA1

05d0906c46da03c37574240b8d8bf447f0edef31
SHA256

131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45
SHA512

cc28e186e1c52ef56f9d9c84ed6f9cd84e8a44b2d470dc139a4d2725dd7d02e3105bbf6dd711c6203a7f59bad31f4ed9310e3e8ef57587908e2de7d0f2e867cb
SSDEEP

12288:VHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:VDgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ujlofoc.exe~DFA57.tmphyuwboc.exe

pid process

2012 ujlofoc.exe
1560 ~DFA57.tmp
916 hyuwboc.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1452 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exeujlofoc.exe~DFA57.tmp

pid process

1996 131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe
2012 ujlofoc.exe
1560 ~DFA57.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2012	ujlofoc.exe
1560	~DFA57.tmp
916	hyuwboc.exe

pid	process
1452	cmd.exe

pid	process
1996	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe
2012	ujlofoc.exe
1560	~DFA57.tmp

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

hyuwboc.exe

pid	process
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe
916	hyuwboc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

~DFA57.tmp

description pid process

Token: SeDebugPrivilege 1560 ~DFA57.tmp

description	pid	process
Token: SeDebugPrivilege	1560	~DFA57.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exeujlofoc.exe~DFA57.tmp

description	pid	process	target process
PID 1996 wrote to memory of 2012	1996	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	ujlofoc.exe
PID 1996 wrote to memory of 2012	1996	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	ujlofoc.exe
PID 1996 wrote to memory of 2012	1996	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	ujlofoc.exe
PID 1996 wrote to memory of 2012	1996	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	ujlofoc.exe
PID 2012 wrote to memory of 1560	2012	ujlofoc.exe	~DFA57.tmp
PID 2012 wrote to memory of 1560	2012	ujlofoc.exe	~DFA57.tmp
PID 2012 wrote to memory of 1560	2012	ujlofoc.exe	~DFA57.tmp
PID 2012 wrote to memory of 1560	2012	ujlofoc.exe	~DFA57.tmp
PID 1996 wrote to memory of 1452	1996	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	cmd.exe
PID 1996 wrote to memory of 1452	1996	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	cmd.exe
PID 1996 wrote to memory of 1452	1996	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	cmd.exe
PID 1996 wrote to memory of 1452	1996	131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe	cmd.exe
PID 1560 wrote to memory of 916	1560	~DFA57.tmp	hyuwboc.exe
PID 1560 wrote to memory of 916	1560	~DFA57.tmp	hyuwboc.exe
PID 1560 wrote to memory of 916	1560	~DFA57.tmp	hyuwboc.exe
PID 1560 wrote to memory of 916	1560	~DFA57.tmp	hyuwboc.exe

C:\Users\Admin\AppData\Local\Temp\131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe
"C:\Users\Admin\AppData\Local\Temp\131c66e11c7837ee963eb63917416d085c4d290bf89ca78b4b485d75ecc00c45.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\ujlofoc.exe
  C:\Users\Admin\AppData\Local\Temp\ujlofoc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\hyuwboc.exe
      "C:\Users\Admin\AppData\Local\Temp\hyuwboc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
fccb7de0664cb52883d6d048a907444b

SHA1
bd4482b3d28d1e7327669bdc8d9cfc29790ae33c

SHA256
da223929f1c03dd251a1ba7a801f8e8783e2710d28e724a593c2607a14b8c034

SHA512
1b798ef6bb845e33e4c30d47bed14cecf98211660778d50692c7f1176315e0210fa379aea6de910d88acf8dd30b804c2efeffd977769a7b348691972d6095627

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
12fb0bfb21105057d50ff7b9a2f2346c

SHA1
57b483e1e140a4dfc6d2525de0a71c04052bf7de

SHA256
cdd0b1a599d4ab5cfc243905300048df9fc74ea3b3c5500c61e24e8326f2943a

SHA512
ae64b43fd44717f2f64349cd41340b6953a2844c69c2e5d93c89bccabb81a639c66ac520a86f9a84385d418041ff49a8f641d56e71803f5ee20ef6c7ccd7731e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyuwboc.exe

Filesize
419KB

MD5
12b002b86e2ec9eadc40a569b57830bf

SHA1
bdbf9067fdca6c99c296876d1d84e75944de2e7c

SHA256
ff0bfa34723af9005e335bb703bf98fb5b922667811ef66e664e58c16447689d

SHA512
d0d587d52be8741078e2928ccb80278a5bb8094520c49d5c8a6d371671ac8b5914846a424a4d5507701b2728819bc06c77a68533b245e71dd14421b6e6f2975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujlofoc.exe

Filesize
694KB

MD5
955713729d4e1d8d0d2f49b4f67190bc

SHA1
5e3c0f0a227238e61001f5943171a3bcf0a3d805

SHA256
d1a7f3c74e6716997e281fbe0e5344133dec98766b9779c5f739501d3b39e6a7

SHA512
287fa1e699b09a3a3790a0a1a2c489451c100cfc16b05f4e4b2fa1b19886d3b229d1a4532277e0f9650d09d1869ed1cd5effb1f803ff28c1312b426fb1c6c13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujlofoc.exe

Filesize
694KB

MD5
955713729d4e1d8d0d2f49b4f67190bc

SHA1
5e3c0f0a227238e61001f5943171a3bcf0a3d805

SHA256
d1a7f3c74e6716997e281fbe0e5344133dec98766b9779c5f739501d3b39e6a7

SHA512
287fa1e699b09a3a3790a0a1a2c489451c100cfc16b05f4e4b2fa1b19886d3b229d1a4532277e0f9650d09d1869ed1cd5effb1f803ff28c1312b426fb1c6c13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA57.tmp

Filesize
702KB

MD5
2763936fab74dada3f81326bdf6209d0

SHA1
746b6a5b5432a2b117cdb18662440583c08d6c53

SHA256
c6423a1bd5e95ac064a6fada73fcfc8026c754373890dcaf3e3b2ed566241181

SHA512
07e54cbe850d41f15c7f657e179163251881a3f26a723b0c7b486521dd2494193fb1407a62dc15f98ccea4a113da593cde5d31519f1ee85d0e4b97bf640302cc

Download Submit
\Users\Admin\AppData\Local\Temp\hyuwboc.exe

Filesize
419KB

MD5
12b002b86e2ec9eadc40a569b57830bf

SHA1
bdbf9067fdca6c99c296876d1d84e75944de2e7c

SHA256
ff0bfa34723af9005e335bb703bf98fb5b922667811ef66e664e58c16447689d

SHA512
d0d587d52be8741078e2928ccb80278a5bb8094520c49d5c8a6d371671ac8b5914846a424a4d5507701b2728819bc06c77a68533b245e71dd14421b6e6f2975a

Download Submit
\Users\Admin\AppData\Local\Temp\ujlofoc.exe

Filesize
694KB

MD5
955713729d4e1d8d0d2f49b4f67190bc

SHA1
5e3c0f0a227238e61001f5943171a3bcf0a3d805

SHA256
d1a7f3c74e6716997e281fbe0e5344133dec98766b9779c5f739501d3b39e6a7

SHA512
287fa1e699b09a3a3790a0a1a2c489451c100cfc16b05f4e4b2fa1b19886d3b229d1a4532277e0f9650d09d1869ed1cd5effb1f803ff28c1312b426fb1c6c13e

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA57.tmp

Filesize
702KB

MD5
2763936fab74dada3f81326bdf6209d0

SHA1
746b6a5b5432a2b117cdb18662440583c08d6c53

SHA256
c6423a1bd5e95ac064a6fada73fcfc8026c754373890dcaf3e3b2ed566241181

SHA512
07e54cbe850d41f15c7f657e179163251881a3f26a723b0c7b486521dd2494193fb1407a62dc15f98ccea4a113da593cde5d31519f1ee85d0e4b97bf640302cc

Download Submit
memory/916-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/916-76-0x0000000000000000-mapping.dmp

Download
memory/1452-66-0x0000000000000000-mapping.dmp

Download
memory/1560-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1560-72-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1560-63-0x0000000000000000-mapping.dmp

Download
memory/1560-79-0x0000000003580000-0x00000000036BE000-memory.dmp

Filesize
1.2MB

Download
memory/1996-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1996-68-0x0000000000720000-0x00000000007FE000-memory.dmp

Filesize
888KB

Download
memory/1996-67-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1996-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2012-70-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2012-71-0x0000000002C50000-0x0000000002D2E000-memory.dmp

Filesize
888KB

Download
memory/2012-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/2012-57-0x0000000000000000-mapping.dmp

Download